Skip to main content

Banner Self Service

2 CVEs product

Monthly

CVE-2026-47106 MEDIUM This Month

Stored cross-site scripting in Ellucian Banner Self-Service before the April T2 2025 release (2025-04-23) allows low-privileged authenticated Banner ERP users to persist malicious JavaScript in faculty and course data fields via missing HTML encoding at the DOM insertion point. Payloads planted in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle are subsequently served through the unauthenticated getFacultyMeetingTimes API and execute in any victim's browser that renders course search results. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Banner Self Service
NVD
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-32856 MEDIUM This Month

Reflected XSS in Ellucian Banner Self-Service allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized content via the `toDateFormat` parameter of the publicly accessible `dateConverter` endpoint. The CVSS vector (PR:N, S:C) confirms no credentials are needed to craft the attack and that the impact crosses security boundaries into the victim's browser session, enabling session hijacking or credential theft against higher-education users. No public exploit has been identified and this is not listed in CISA KEV, but the unauthenticated endpoint and simple social-engineering delivery path make this practically exploitable with low attacker skill.

XSS Banner Self Service
NVD
CVSS 4.0
5.1
EPSS
0.1%
EPSS 0% CVSS 5.1
MEDIUM This Month

Stored cross-site scripting in Ellucian Banner Self-Service before the April T2 2025 release (2025-04-23) allows low-privileged authenticated Banner ERP users to persist malicious JavaScript in faculty and course data fields via missing HTML encoding at the DOM insertion point. Payloads planted in fields such as faculty displayName, emailAddress, subjectDescription, or courseTitle are subsequently served through the unauthenticated getFacultyMeetingTimes API and execute in any victim's browser that renders course search results. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV.

XSS Banner Self Service
NVD
EPSS 0% CVSS 5.1
MEDIUM This Month

Reflected XSS in Ellucian Banner Self-Service allows unauthenticated remote attackers to execute arbitrary JavaScript in a victim's browser by injecting unsanitized content via the `toDateFormat` parameter of the publicly accessible `dateConverter` endpoint. The CVSS vector (PR:N, S:C) confirms no credentials are needed to craft the attack and that the impact crosses security boundaries into the victim's browser session, enabling session hijacking or credential theft against higher-education users. No public exploit has been identified and this is not listed in CISA KEV, but the unauthenticated endpoint and simple social-engineering delivery path make this practically exploitable with low attacker skill.

XSS Banner Self Service
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy